fix(env): prevent secret leakage to external applications

- Add getCleanEnvForLaunch() that strips ~/.kenv/.env secrets from env
- Rewrite open.ts to spawn macOS .app executables directly (bypasses Launch Services)
- Update exec() to use clean env by default, preventing secret inheritance
- Use AppleScript for terminal opening (more reliable than open -a with path)
- Switch VS Code action to use `code` CLI instead of `open -a`
- Pass clean env to editor spawns in terminal.ts edit function

Author: johnlindquist

src/api/packages/open.ts

@@ -1,3 +1,156 @@
-import open, { openApp } from "@johnlindquist/open"
-;(global as any).open = open
-global.openApp = openApp
+import originalOpen, { openApp as originalOpenApp, type Options } from "@johnlindquist/open"
+import { getCleanEnvForLaunch } from "../../platform/base.js"
+import { spawn, execSync } from "node:child_process"
+import { existsSync } from "node:fs"
+import { join, basename } from "node:path"
+
+/**
+ * Gets the executable path inside a macOS .app bundle.
+ * Uses PlistBuddy to read CFBundleExecutable from Info.plist.
+ */
+const getAppExecutable = (appPath: string): string | null => {
+	if (!appPath.endsWith(".app")) {
+		return null
+	}
+
+	const infoPlistPath = join(appPath, "Contents", "Info.plist")
+	if (!existsSync(infoPlistPath)) {
+		return null
+	}
+
+	try {
+		// Use PlistBuddy to read the executable name from Info.plist
+		const executableName = execSync(
+			`/usr/libexec/PlistBuddy -c "Print :CFBundleExecutable" "${infoPlistPath}"`,
+			{ encoding: "utf-8" }
+		).trim()
+
+		if (!executableName) {
+			return null
+		}
+
+		const executablePath = join(appPath, "Contents", "MacOS", executableName)
+		if (existsSync(executablePath)) {
+			return executablePath
+		}
+	} catch {
+		// Try to guess based on app name (common pattern)
+		const appName = basename(appPath, ".app")
+		const guessedPath = join(appPath, "Contents", "MacOS", appName)
+		if (existsSync(guessedPath)) {
+			return guessedPath
+		}
+	}
+
+	return null
+}
+
+/**
+ * Launches a macOS app by spawning its executable directly.
+ * This ensures the app inherits our clean environment instead of getting
+ * environment from launchd/Launch Services.
+ *
+ * The macOS `open -a` command uses Launch Services, which starts apps with
+ * environment from launchd - NOT from the calling process. This is why
+ * passing env to spawn('open', ...) doesn't work for GUI apps.
+ */
+const launchMacOSApp = (appPath: string, cleanEnv: Record<string, string>): void => {
+	const executablePath = getAppExecutable(appPath)
+
+	if (executablePath) {
+		// Spawn the executable directly - it WILL inherit the clean environment
+		const child = spawn(executablePath, [], {
+			env: cleanEnv,
+			detached: true,
+			stdio: "ignore"
+		})
+		child.unref()
+	} else {
+		// Fallback: use open command (env won't be inherited, but at least it works)
+		const child = spawn("open", ["-a", appPath], {
+			env: cleanEnv,
+			detached: true,
+			stdio: "ignore"
+		})
+		child.unref()
+	}
+}
+
+/**
+ * Open a target (URL, file, or app) with a clean environment.
+ *
+ * For macOS .app bundles, this spawns the executable directly to ensure
+ * the clean environment is inherited. For other targets (URLs, files),
+ * it uses the original open package.
+ */
+const openWithCleanEnv = (target: string, options?: Options) => {
+	const cleanEnv = getCleanEnvForLaunch()
+
+	// Check if this is a macOS .app bundle
+	if (process.platform === "darwin" && target.endsWith(".app") && existsSync(target)) {
+		launchMacOSApp(target, cleanEnv)
+		// Return a fake promise that resolves to a fake child process for API compatibility
+		return Promise.resolve({
+			pid: 0,
+			unref: () => {},
+			ref: () => {},
+			kill: () => true
+		} as unknown as ReturnType<typeof originalOpen>)
+	}
+
+	// For non-.app targets, use the original open package with clean env
+	return originalOpen(target, {
+		...options,
+		env: cleanEnv
+	})
+}
+
+/**
+ * Open an app by name with a clean environment.
+ *
+ * For macOS, resolves the app name to a path and spawns the executable directly.
+ */
+const openAppWithCleanEnv = async (
+	name: string | readonly string[],
+	options?: Parameters<typeof originalOpenApp>[1]
+) => {
+	const cleanEnv = getCleanEnvForLaunch()
+
+	if (process.platform === "darwin") {
+		// Handle array of app names (try each until one works)
+		const appNames = Array.isArray(name) ? name : [name]
+
+		for (const appName of appNames) {
+			// Common app locations on macOS
+			const possiblePaths = [
+				`/Applications/${appName}.app`,
+				`/Applications/${appName}`,
+				`/System/Applications/${appName}.app`,
+				`/System/Applications/${appName}`,
+				`${process.env.HOME}/Applications/${appName}.app`,
+				`${process.env.HOME}/Applications/${appName}`
+			]
+
+			for (const appPath of possiblePaths) {
+				if (existsSync(appPath) && appPath.endsWith(".app")) {
+					launchMacOSApp(appPath, cleanEnv)
+					return Promise.resolve({
+						pid: 0,
+						unref: () => {},
+						ref: () => {},
+						kill: () => true
+					} as unknown as ReturnType<typeof originalOpenApp>)
+				}
+			}
+		}
+	}
+
+	// Fallback to original openApp with clean env
+	return originalOpenApp(name, {
+		...options,
+		env: cleanEnv
+	} as Parameters<typeof originalOpenApp>[1])
+}
+
+;(global as any).open = openWithCleanEnv
+global.openApp = openAppWithCleanEnv

src/globals/execa.ts

@@ -1,5 +1,6 @@
 import * as all from "execa"
 import type { Options } from "execa"
+import { getCleanEnvForLaunch } from "../platform/base.js"
 
 export let execa = all.execa
 global.execa = execa
@@ -9,9 +10,26 @@ global.execaSync = execaSync
 
 export let execaCommand = all.execaCommand
 global.execaCommand = execaCommand
+
+/**
+ * Execute a shell command with a clean environment by default.
+ *
+ * The clean environment:
+ * - Contains the user's normal shell environment (PATH, HOME, LANG, etc.)
+ * - Does NOT contain Script Kit secrets from ~/.kenv/.env files
+ * - Does NOT contain Kit-internal environment variables
+ *
+ * This prevents environment variable leakage when launching external applications
+ * like terminals (iTerm, Terminal), editors (VS Code), or other GUI apps.
+ *
+ * To use the full process.env (including secrets), pass `env: process.env` in options.
+ */
 global.exec = ((command: string, options: Options = {}) => {
   const finalOptions: Options = {
     cwd: process.cwd(),
+    // Use clean environment by default to prevent secret leakage
+    // User can override by passing their own env in options
+    env: getCleanEnvForLaunch(),
     ...options,
     shell: options.shell ?? true,
   }

src/main/common.ts

@@ -96,10 +96,33 @@ export let actionFlags: ActionFlag[] = [
       }
 
       if (isMac) {
-        if (env?.KIT_TERMINAL?.toLowerCase() === 'iterm') {
-          return await exec(`open -a iTerm '${selectedFile}'`)
-        }
-        return await exec(`open -a Terminal '${selectedFile}'`)
+        // Note: Terminal apps will still load shell profiles (.zshrc/.bashrc) which may
+        // source ~/.kenv/.env. To prevent secrets leaking to terminals, users should
+        // guard .env sourcing in their shell profile: [ -n "$KIT" ] && source ~/.kenv/.env
+        //
+        // We use open() which spawns the executable directly with clean env, but the
+        // terminal's shell session will read profiles independently.
+        const terminalApp = env?.KIT_TERMINAL?.toLowerCase() === 'iterm'
+          ? '/Applications/iTerm.app'
+          : '/Applications/Utilities/Terminal.app'
+
+        // Use AppleScript to open terminal at directory (more reliable than open -a with path)
+        const script = env?.KIT_TERMINAL?.toLowerCase() === 'iterm'
+          ? `tell application "iTerm"
+              activate
+              tell current window
+                create tab with default profile
+                tell current session
+                  write text "cd '${selectedFile}'"
+                end tell
+              end tell
+            end tell`
+          : `tell application "Terminal"
+              activate
+              do script "cd '${selectedFile}'"
+            end tell`
+
+        return await exec(`osascript -e '${script.replace(/'/g, "'\"'\"'")}'`)
       }
 
       // Linux support
@@ -125,11 +148,9 @@ export let actionFlags: ActionFlag[] = [
     shortcut: `${cmd}+shift+v`,
     action: async (selectedFile) => {
       hide()
-      if (isMac) {
-        await exec(`open -a 'Visual Studio Code' '${selectedFile}'`)
-      } else {
-        await exec(`code ${selectedFile}`)
-      }
+      // Use `code` CLI on all platforms - it inherits our clean env from exec()
+      // Avoid `open -a` on macOS as it goes through Launch Services and ignores env
+      await exec(`code '${selectedFile}'`)
     }
   },
   ...(process.env?.KIT_OPEN_IN

src/platform/base.ts

@@ -3,6 +3,84 @@
  * Provides clean environment handling for VS Code, terminals, and other apps
  */
 
+import { existsSync, readFileSync } from "node:fs"
+import { kenvPath } from "../core/resolvers.js"
+
+// Cache for env keys to strip (parsed once from .env files)
+let cachedEnvKeysToStrip: Set<string> | null = null
+
+/**
+ * Parses .env file content and returns the keys defined in it
+ */
+const parseEnvKeys = (content: string): string[] => {
+	return content
+		.split("\n")
+		.filter((line) => {
+			const trimmed = line.trim()
+			return trimmed && !trimmed.startsWith("#") && trimmed.includes("=")
+		})
+		.map((line) => line.split("=")[0].trim())
+		.filter(Boolean)
+}
+
+/**
+ * Gets the set of environment variable keys defined in ~/.kenv/.env files
+ * These are Script Kit secrets that should not leak to external applications
+ */
+const getEnvKeysToStrip = (): Set<string> => {
+	if (cachedEnvKeysToStrip) {
+		return cachedEnvKeysToStrip
+	}
+
+	const keysToStrip = new Set<string>()
+	const envFiles = [".env", ".env.local", ".env.development", ".env.production", ".env.kit"]
+
+	for (const file of envFiles) {
+		try {
+			const envPath = kenvPath(file)
+			if (existsSync(envPath)) {
+				const content = readFileSync(envPath, "utf-8")
+				for (const key of parseEnvKeys(content)) {
+					keysToStrip.add(key)
+				}
+			}
+		} catch {
+			// Ignore errors reading .env files
+		}
+	}
+
+	// Also strip Kit-specific internal variables
+	const kitInternalVars = [
+		"KIT",
+		"KENV",
+		"KIT_CONTEXT",
+		"KIT_MAIN_SCRIPT",
+		"KIT_APP_PATH",
+		"KIT_CLEAN_SHELL_ENV",
+		"KIT_DOTENV_PATH",
+		"KIT_ACCESSIBILITY",
+		"KIT_TERMINAL",
+		"KIT_EDITOR",
+		"KIT_OPEN_IN",
+		"PATH_FROM_DOTENV",
+		"PARSED_PATH"
+	]
+
+	for (const key of kitInternalVars) {
+		keysToStrip.add(key)
+	}
+
+	cachedEnvKeysToStrip = keysToStrip
+	return keysToStrip
+}
+
+/**
+ * Clears the cached env keys - useful for testing or when .env files change
+ */
+export const clearEnvKeysCache = (): void => {
+	cachedEnvKeysToStrip = null
+}
+
 /**
  * Gets a clean shell environment for launching external applications
  *
@@ -65,4 +143,33 @@ export const getCleanEnvForExternalApp = (): Record<string, string> => {
 	return cleanEnv
 }
 
-export {}
+/**
+ * Gets a clean environment for launching external applications
+ *
+ * This combines the clean shell environment (from user's shell config) with
+ * explicit removal of any secrets/keys from ~/.kenv/.env files.
+ *
+ * This ensures that:
+ * 1. External apps get the user's normal shell environment (PATH, LANG, etc.)
+ * 2. Script Kit secrets (API keys, etc.) do NOT leak to external processes
+ *
+ * @returns Clean environment suitable for exec() calls that launch external apps
+ */
+export const getCleanEnvForLaunch = (): Record<string, string> => {
+	// Start with the clean shell environment
+	const baseEnv = getCleanEnvForExternalApp()
+
+	// Get keys that should be stripped (from .env files and Kit internals)
+	const keysToStrip = getEnvKeysToStrip()
+
+	// Create final clean env by removing sensitive keys
+	const cleanEnv: Record<string, string> = {}
+
+	for (const [key, value] of Object.entries(baseEnv)) {
+		if (!keysToStrip.has(key)) {
+			cleanEnv[key] = value
+		}
+	}
+
+	return cleanEnv
+}